Aussie businesses would snub free security audits

Just like their UK counterparts.

Despite the current focus on security stemming from the massive data breaches that resulted from hackers exploiting low- and high-level system vulnerabilities, few businesses in the UK and Australia are interested in auditing systems -- even when they're free.

The head of the UK's Information Commissioner's Office (ICO), Christopher Graham, on Wednesday complained that the bulk of private businesses his office had offered free security and privacy audits to had snubbed them.

Just 19 per cent of the businesses his officers contacted took up the free offer, which was aimed at ensuring its private sector complied with the nation’s data protection laws.

“Lenders, general businesses and direct marketing companies account for almost a third of total complaints to the ICO, and businesses were the top sector for reporting data security breaches to us last year,” said Graham.

Perhaps the most widely reported of those breaches occurred at pirate hunting UK law firm, ACS Law, which inadvertently posted its email database during the restoration of its website after suffering a distributed denial of service attack.

“Despite this, many of them are still resisting our offer to undergo audits," Graham continued. "We’ve written to organisations we consider to be high risk but the response has been disappointing.”

Public sector agencies were more willing to undergo the data protection audits, with 71 per cent agreeing to the process. Still, just 30 of the 100 organisations which had been made the offer took it up.

Graham insisted that the audits were not about “naming and shaming”, despite having done just that to several National Health Service organisations in the past week.

The private sector audit drive was partly a response to the fact that 186 of the 603 breaches reported to the ICO in 2010/11 occurred in that sector.

Australia’s not-so-different landscape

If Australia’s Office of the Information Commissioner were to make a similar offer, it would probably record an even lower uptake, according to IBRS security analyst, James Turner.

“Most organisations wouldn't be able to take advantage of it because they simply don't have sufficient staff to take on the extra load that the results of such an audit would probably require,” he told

Jason Edelstein, chief technology officer of security firm, Sense of Security, said that staffing shortages in the public sector would undercut such efforts, but that the private sector had become more cautious as a result of the spate of attacks by groups like Lulz Security and Anonymous.

“As most government departments are terribly understaffed they would be reluctant to facilitate such an audit,” Edelstein told

“Once it is on record there are issues they are forced to put in place an action plan with remediation deadlines, but with limited funding and resources how would they remediate?”

On the other hand, Edelstein claimed to have “a number of organisations” currently undergoing privacy audits in response to the attacks launched by Anonymous and Lulzsec.

“Many of them are starting to design solutions around the encryption of PII,” he said.

But Australia faced a broader underlying challenge that gave public and private sector organisations little incentive to respond to real or perceived threats.

“Australia has such skimpy privacy laws that very few organisations are incentivised to take this issue seriously,” said Turner.

“When the office of the privacy commission wants to get militant, the best they can punish an organisation with is a sternly worded press release.”

In contrast, the UK’s information commissioner was recently granted authority to issue fines up to £500,000 (AU$747,000) for significant data breaches.

Australian organisations were made a similar discounted audit offer, according to Chris Gatford, proprietor of penetration testing firm Hack Labs, but few took it up.

“The NSW Auditors General Department tried a similar program, offering to pay 50 per cent of any security assessment piece of work. This ultimately was retired as very little uptake occurred,” he said.

That offer's appeal was tarnished by the plan for audit results to be shared with the Attorney-General’s Department’s Computer Network Vulnerability Assessment program, which was part of its Trusted Information Sharing Network for critical infrastructure providers.

Gatford agreed that giving Australia’s Information Commissioner some teeth could make conducting such audits worthwhile.

“The data protection act has some teeth in the UK, where here, in Australia, we really don't seem to have any legal muscle or if we do it is not being flexed,” he said.

“I have yet to see any action taken to penalise organisations for loss of sensitive data on Australian residents,” he added, pointing to the Australian Privacy Commissioner’s response to last year’s Vodafone breach.

Businesses should be assessing the maturity of their security and governance program, said Gatford, and if that was not possible, an audit against best practice of all common IT security control domains was a good starting point.

Edelstein recommended annual penetration tests, ongoing vulnerability management, encryption of personally identifiable information and the implementation of a data classification policy that reflected the security requirements for different types of information.


Stories by Liam Tung